Sql security
cmontiel Offline
Member

Post: #1
Sql security
@Esenthel Do you call mysqli_real_escape_string() before sending commands to the database to avoid SQL injection?

IRC: irc.freenode.net
Channel: #Esenthel
(This post was last modified: 05-30-2013 03:29 AM by cmontiel.)
05-30-2013 03:18 AM
Esenthel Offline
Administrator

Post: #2
RE: Sql security
Hello!
I'm using ODBC for handling MySQL and MSSQL (sql.h, SQL* functions)
05-31-2013 01:15 PM
cmontiel Offline
Member

Post: #3
RE: Sql security
I am missing something; as far as I know the ODBC driver does not handle SQL injection attacks automatically, right?

IRC: irc.freenode.net
Channel: #Esenthel
05-31-2013 06:54 PM
jagatai Offline
Member

Post: #4
RE: Sql security
You're looking for a 5th leg on the cat; simply use Parameters.AddWithValue() to combat the typical SQL injection attacks.

-J
06-01-2013 01:06 AM
cmontiel Offline
Member

Post: #5
RE: Sql security
What are you talking about? Parameters.AddWithValue() is for .Net (C#) applications.... I am using the EE class (Sql.h)

IRC: irc.freenode.net
Channel: #Esenthel
06-01-2013 01:42 AM
cmontiel Offline
Member

Post: #6
RE: Sql security
I already added regular expressions and disabled some keyboard keys, but I think it is not enough. Is there something to avoid SQL injection with EE?

IRC: irc.freenode.net
Channel: #Esenthel
06-04-2013 01:12 PM
cmontiel Offline
Member

Post: #7
RE: Sql security
Thanks aceio, I didn't know about this kind of firewall. I will try dotDefender, I think it's free and looks robust.

Edit: No, it isn't free ^^.

IRC: irc.freenode.net
Channel: #Esenthel
(This post was last modified: 06-04-2013 04:50 PM by cmontiel.)
06-04-2013 04:18 PM
cmontiel Offline
Member

Post: #8
RE: Sql security
(06-04-2013 05:41 PM)aceio76 Wrote:  Here is the link to the free NetScaler: https://store.citrix.com/store/citrix/en...D.28169600

90-day trial. Not very useful.

Quote:And another link to another product that you might check out as well: http://www.modsecurity.org/

I've installed it. Just some dlls; it looks like this is a module for webpages.

I am very confused. Are these firewalls only for webpages?
(This post was last modified: 06-04-2013 07:17 PM by cmontiel.)
06-04-2013 06:51 PM
Esenthel Offline
Administrator

Post: #9
RE: Sql security
I'm not sure the above links are related to this thread, which is about http://en.wikipedia.org/wiki/SQL_injection

There is SQL.string which can be used for encoding strings into custom 'condition' parameters to SQL methods.

I'll do some testing for SQL methods to check if they're safe for potential injection.

If you've discovered some other SQL methods which are unsafe for Str parameters, then let me know and I'll fix them :)
06-05-2013 09:09 PM
cmontiel Offline
Member

Post: #10
RE: Sql security
Thanks for info aceio.

I've successfully installed apache + modSecurity + Got root rules, and it is blocking SQL injection, DoS attacks and other things ... but on port 80 (http). I don't know how to proceed now because apache cannot listen on the same port as my game server (.exe)

Anyway, I think esenthel is encrypting tcp packets (their data are random letters and numbers, I used Wireshark pfft).

So even if I could listen to the tcp socket of my game, packets will pass any firewall (NetScaler, F5, modSecurity, etc) because they are encrypted!... At least SQL injection must be checked in the game server.

I can't believe how people working on mmos in this forum are not worried about this.

Esenthel Wrote:I'll do some testing for SQL methods to check if they're safe for potential injection.

An example:

Str cmd = S+"SELECT * FROM accounts WHERE accounts.name = '"+name+"';";
sql.command(cmd);

If name = ' OR '1'='1 , there we have SQL injection. name should be filtered in some way (I added regular expressions).
(This post was last modified: 06-07-2013 06:57 AM by cmontiel.)
06-07-2013 06:43 AM
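An added example, not code from the thread or from Esenthel Engine, that builds the same accounts query two ways in plain C++ (std::string standing in for EE's Str): once concatenated as in the post above, and once with the name allow-listed and rendered as a properly quoted literal, the fallback when the Sql wrapper gives no way to bind parameters. sqlLiteral, validAccountName and the 3-16 character name policy are hypothetical.

```cpp
#include <string>
#include <regex>

// Render a value as a SQL string literal: wrap in single quotes, double any
// embedded single quote (ANSI SQL) and backslash (MySQL's default escaping).
// Hypothetical helper; prefer real parameter binding (e.g. ODBC's
// SQLBindParameter with '?' markers) whenever the wrapper exposes it.
std::string sqlLiteral(const std::string& value)
{
    std::string out = "'";
    for (char c : value)
    {
        if      (c == '\'') out += "''";
        else if (c == '\\') out += "\\\\";
        else                out += c;
    }
    return out + "'";
}

// Allow-list check for account names (hypothetical policy: 3-16 characters,
// letters, digits, underscore). Reject before the value reaches the query.
bool validAccountName(const std::string& name)
{
    static const std::regex pattern("^[A-Za-z0-9_]{3,16}$");
    return std::regex_match(name, pattern);
}

// The query exactly as built in the post: the name is pasted into the text,
// so a name containing a quote rewrites the WHERE clause.
std::string unsafeQuery(const std::string& name)
{
    return "SELECT * FROM accounts WHERE accounts.name = '" + name + "';";
}

// Same query with validation first and the name rendered as a literal.
// Returns an empty string on rejection so nothing is sent to the server.
std::string saferQuery(const std::string& name)
{
    if (!validAccountName(name)) return "";
    return "SELECT * FROM accounts WHERE accounts.name = " + sqlLiteral(name) + ";";
}
```

Escaping only covers single-quoted string literals; numeric and identifier positions need their own checks, which is why binding is the preferred route.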
Rubeus Offline
Member

Post: #11
RE: Sql security
cmontiel, you are completely right. Website security is entirely different from application security. Consider also that any SQL calls should be made only on the server. The client should not even have SQL oriented code, and no SQL commands should ever be sent over the network.
What I would personally do is save all data that comes from the user (usernames, passwords, etc.) as an encrypted string (similar to Esenthel's UID system). It could even be as simple as converting each character to its ASCII value. This fully ensures that any SQL injection attempt will fail, and will help if someone was to somehow gain access to your database and pull up a listing of usernames/passwords.
06-07-2013 06:00 PM
cmontiel Offline
Member

Post: #12
RE: Sql security
Encrypted values in the database... I don't think it is a good idea because performance drops.

And for example, what happens with DoS attacks to the EE game server port? It's not only SQL injection...

After reading and testing a lot, Web application firewalls (WAF) are only for web applications like a webpage (HTTP, HTTPS, SSL, etc) but they can't listen to tcp connections like the EE server creates.

I am going to change my question:
does someone know how to block attacks to an EE server port (tcp connection)?

PD: My head hurts pfft
(This post was last modified: 06-07-2013 06:24 PM by cmontiel.)
06-07-2013 06:20 PM
Rubeus Offline
Member

Post: #13
RE: Sql security
(06-07-2013 06:20 PM)cmontiel Wrote:  Encrypted values in the database... I don't think it is a good idea because performance drops.

And for example, what happens with DoS attacks to the EE game server port? It's not only SQL injection...

This is a completely separate issue. The ideal setup is that the SQL database is only accessible on the local network and not from the internet at all. It's up to the client/server handshake to verify the integrity and identity of both entities.

(06-07-2013 06:20 PM)cmontiel Wrote:  I am going to change my question:
does someone know how to block attacks to an EE server port (tcp connection)?

This is where you start getting into expensive corporate-level hardware firewalls. Software firewalls won't cut it for stopping a DoS. My recommendation is this: when you want to get your game up and running and making money, run your server(s) in a datacenter with redundant network connections and standard firewalls (Cisco or equivalent). When you get to the point where there is a real threat of a major DoS or other attack that can take down your system and it's cost effective to do so, you can upgrade with 0 downtime to smarter appliances (one network leg at a time) that will actively block DoS, brute force, and other types of attacks.
Otherwise, if your game remains relatively small, if you detect an attack, you can just view your firewall logs and manually block the offending IP address(es). This is the method we use at my workplace, even though we aren't small.
You might be able to use a software firewall program, but keep in mind that these programs need to use CPU, memory, and hard drive writes (logging). These programs can cripple a server, and even reduce the total number of active players the hardware can support.
06-07-2013 06:50 PM
cmontiel Offline
Member

Post: #14
RE: Sql security
Quote:This is a completely separate issue. The ideal setup is that the SQL database is only accessible on the local network and not from the internet at all. It's up to the client/server handshake to verify the integrity and identity of both entities.

My database is only accessible on the local network. But that will not stop any attack to the game server port.

Quote:When you get to the point where there is a real threat of a major DoS or other attack that can take down your system and it's cost effective to do so, you can upgrade with 0 downtime to smarter appliances (one network leg at a time) that will actively block DoS, brute force, and other types of attacks.

In my opinion, if there is a real attack, it's too late because you have lost users, money and even the server integrity. I am looking for preemptive protection..

Quote:Otherwise, if your game remains relatively small, if you detect an attack, you can just view your firewall logs and manually block the offending IP address(es). This is the method we use at my workplace, even though we aren't small.

Hmm, it doesn't look like a good solution. It's as easy as the "hacker" changing IP by resetting the router, and you have the problem again in minutes.

I'm starting to give up :(
06-07-2013 07:14 PM
Rubeus Offline
Member

Post: #15
RE: Sql security
(06-07-2013 07:14 PM)cmontiel Wrote:  
Quote:When you get to the point where there is a real threat of a major DoS or other attack that can take down your system and it's cost effective to do so, you can upgrade with 0 downtime to smarter appliances (one network leg at a time) that will actively block DoS, brute force, and other types of attacks.

In my opinion, if there is a real attack, it's too late because you have lost users, money and even the server integrity. I am looking for preemptive protection..

There are a lot of options, but I recommended waiting because they are $$$$$$.

(06-07-2013 07:14 PM)cmontiel Wrote:  
Quote:Otherwise, if your game remains relatively small, if you detect an attack, you can just view your firewall logs and manually block the offending IP address(es). This is the method we use at my workplace, even though we aren't small.

Hmm, it doesn't look like a good solution. It's as easy as the "hacker" changing IP by resetting the router, and you have the problem again in minutes.

I'm starting to give up :(

There's a timeout period for dynamically allocated IP addresses. It can be anywhere from 5 minutes to 5 days. If you reset your modem/router, it's highly possible you could end up with the same IP. Even if they could reset every few minutes, they would be crippling their own internet connection more than yours. What kind of script kiddy could take that much time away from downloading porn?
Additionally, static IP addresses are becoming more and more common. Cable and fiber generally use static IPs for their customers these days, so unless they are able to get a DDoS going, they are stuck.
Lastly, keep in mind that these kinds of attacks are a lot more rare than those in the security business would have you believe. They like to say that it only takes ~5 minutes to get a virus/hacked if you are connected to the internet with no firewall/antivirus, but I have 2 machines that I run DMZ with no protection that are both perfectly fine.
In the last 2 years, we only had 1 DoS attack at my workplace, and that ended by blocking a single IP. It caused one of our customers a few minutes of discomfort, but nothing more. And this was in retaliation for one of their clients using their network, and in turn, ours, to mail out spam. I think your game will be fine with minimal protections, as long as you aren't scamming. :)
06-07-2013 08:07 PM